[unisog] Password policies

Jenkins, Matthew mjenkins7 at fairmontstate.edu
Wed Apr 19 17:42:36 GMT 2006

Not rotating passwords gives a potential attacker a longer time period
to guess the password.  The attack could be performed over a long time
period to avoid lockout periods, etc.  Of course, we would be talking
months or even years in most cases.

However, someone having knowledge of the foundation of the password
could perform the attack quicker.  For example, if I knew a coworker's
password had something to do with their dog's name, but I wasn't sure
what other characters surrounded or composed the actual password, I
could start an attack looking for passwords that dealt with only the
dog's name.

Also, if a password is stolen, it would be better to limit the time
period the intruder had access.  Forcing the password to change would
take care of that.

You are definitely right that frequent changes as well as difficult
password rules encourage written passwords.  I never understood why
organizations try to enforce extremely complex password policies only to
have their employees stick passwords to their monitors, under their
keyboards, or hidden in desk drawers.


Matthew Jenkins
Network/Server Administrator
Fairmont State University
AOL: MLJenkinsCom  Yahoo: mljenkins  ICQ: 8116624  MSN
Visit us online at www.fairmontstate.edu

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Joseph Brennan
Sent: Wednesday, April 19, 2006 1:12 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Password policies

Requiring frequent changes only pushes people to writing the passwords
on sticky notes stuck to their monitors.  Is there any data to support
the idea that changing every 3 months is better than changing every
3 decades?  If a stolen password hasn't been used in a few days, will
it ever be used?
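The thread's point that guessing can be spread out over a long period to stay under account lockout thresholds is something a defender can look for directly. The following is an added example (not from the list discussion or either poster) that scans a constructed auth log and flags accounts whose failures never trip the lockout window but pile up over a longer one; the log format, thresholds and account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp account result" format.
SAMPLE_LOG = """\
2006-04-10T08:00:00 jdoe FAIL
2006-04-10T13:30:00 jdoe FAIL
2006-04-11T09:15:00 jdoe FAIL
2006-04-12T18:40:00 jdoe FAIL
2006-04-13T07:05:00 jdoe FAIL
2006-04-14T22:10:00 jdoe FAIL
2006-04-15T11:00:00 jdoe FAIL
2006-04-16T16:45:00 jdoe FAIL
2006-04-17T10:20:00 jdoe FAIL
2006-04-18T08:00:00 jdoe FAIL
2006-04-10T08:00:00 asmith FAIL
2006-04-10T08:01:00 asmith FAIL
2006-04-10T08:02:00 asmith OK
"""

def parse_failures(text):
    """Return {account: [timestamps of failed logins]} from the log text."""
    failures = defaultdict(list)
    for line in text.splitlines():
        ts, account, result = line.split()
        if result == "FAIL":
            failures[account].append(datetime.fromisoformat(ts))
    return failures

def max_in_window(times, window):
    """Largest number of failures inside any sliding window of the given length."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # drop events that fell out of the window
            start += 1
        best = max(best, end - start + 1)
    return best

def find_low_and_slow(text, lockout_threshold=5, lockout_window=timedelta(minutes=30),
                      long_window=timedelta(days=14), long_threshold=8):
    """Flag accounts that stay under the lockout rule yet accumulate many failures."""
    flagged = {}
    for account, times in parse_failures(text).items():
        burst = max_in_window(times, lockout_window)   # what the lockout rule sees
        slow = max_in_window(times, long_window)       # what a longer view sees
        if burst < lockout_threshold and slow >= long_threshold:
            flagged[account] = slow
    return flagged
```

With the sample data only jdoe is flagged: ten failures spread across nine days, never more than one inside any 30-minute lockout window.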
